Operating Systems and Security

Lecture notes on Operating Systems and System Security

Uploaded by

nanyaobiefule
Copyright
© All Rights Reserved

Operating Systems and Security

Operating systems are the foundation of modern computing, providing the framework for all software to run. In today's interconnected world, securing the operating system is paramount. This presentation explores the multifaceted world of operating system security, delving into the essential aspects of protecting your data, privacy, and devices.


Concepts

Protection:
Mechanisms and policy to keep programs and users from accessing or changing things they should not
Internal to OS

Security:
Issues external to OS
Authentication of user, validation of messages, malicious or accidental introduction of flaws, etc.

The Importance of OS Security

Data Confidentiality
Operating systems protect sensitive information from unauthorized access. This is especially crucial for businesses and individuals handling confidential data, such as financial records, medical information, or intellectual property.

System Integrity
A secure operating system ensures the integrity of the system, preventing malicious software from altering core system files, compromising performance, or causing instability. This safeguards against malware infections and data corruption.

User Privacy
A secure operating system safeguards user privacy by controlling access to personal information, browsing history, and other sensitive data. It also protects against tracking and surveillance by unauthorized entities.

System Availability
A secure operating system protects against denial-of-service attacks and other vulnerabilities that could disrupt system availability. This ensures uninterrupted access to essential services and data.

Common Security Threats to Operating Systems

1 Malware Infections
Viruses, worms, Trojans, and ransomware can exploit operating system vulnerabilities to gain unauthorized access, steal data, or disrupt system operations. These threats can spread rapidly through networks or infected files.

2 Exploiting Vulnerabilities
Cybercriminals constantly search for weaknesses in operating systems. They exploit these vulnerabilities through zero-day attacks, using previously unknown flaws to gain unauthorized access and compromise systems.

3 Social Engineering Attacks
These attacks manipulate users into revealing sensitive information or granting access to malicious software. Phishing emails, fake websites, or malicious links can deceive users into compromising their systems.

4 Unsecured Networks
Weak network security practices leave operating systems vulnerable to attacks. Open ports, outdated software, and weak passwords can expose systems to intrusion and data breaches.

Securing the Boot Process
1 Secure Boot
This feature verifies the authenticity of the boot loader and
operating system before loading them. It prevents
malicious software from loading before the operating
system starts, enhancing security.

2 BIOS/UEFI (Unified Extensible Firmware Interface) Security
Securing the BIOS/UEFI firmware is critical. It prevents unauthorized access and manipulation of the boot process. This includes setting strong passwords, disabling unnecessary features, and keeping the BIOS/UEFI firmware updated.

3 Trusted Platform Module (TPM)
The TPM is a hardware security module that provides cryptographic functions to ensure the integrity and security of the boot process. It stores encryption keys and other sensitive data, protecting them from unauthorized access.

The Trusted Platform Module (TPM) is a specialized hardware component designed to secure hardware through integrated cryptographic keys.

Unified Extensible Firmware Interface (UEFI)
Both BIOS and UEFI play crucial roles in the boot process of a computer. UEFI, being the modern standard, provides better functionality and future-proofing compared to BIOS. UEFI is the successor to BIOS, offering more advanced features and improved performance.

Access Control and Authorization

1 Authentication
Verifying the identity of users, devices, or processes before
granting access.

2 Authorization
Defining and enforcing access permissions based on the
principle of least privilege.

3 Audit Logging
Maintaining comprehensive records of all access attempts
and activities.
File System Permissions and Access Controls

Permission: Description
Read: Allows users to view the contents of a file or directory.
Write: Allows users to modify the contents of a file or create new files within a directory.
Execute: Allows users to run files or scripts within a directory.
Access Control Lists (ACLs): Provide granular control over who can access specific files and directories, defining permissions for individual users and groups.

Keeping the OS Up-to-Date
Security Patches
Software updates often include security patches that
address vulnerabilities and fix bugs. By keeping the
operating system and its applications up-to-date, you
mitigate the risk of exploitation.

Automatic Updates
Enable automatic updates to ensure that your operating
system is always up-to-date with the latest security
patches. This eliminates the need for manual updates,
reducing the risk of vulnerabilities.

Software Updates
Ensure that all software applications running on your
system, including utilities, drivers, and third-party programs,
are also kept up-to-date with the latest security patches and
updates.
Utilising Firewalls and Network Security

Firewall Protection
Firewalls act as a barrier between your system and the internet, blocking unauthorized access and malicious traffic. They examine incoming and outgoing network traffic and apply rules to filter and block suspicious connections.

Strong Passwords
Use strong passwords for all accounts, including network access, Wi-Fi connections, and user accounts. A strong password includes a combination of uppercase and lowercase letters, numbers, and symbols, making it difficult to guess.

Secure Network Protocols
Use secure network protocols like HTTPS and SSH (Secure Shell) for secure communication and data transfer. These protocols encrypt data, preventing eavesdropping and unauthorized access to sensitive information.

VPN Protection
A Virtual Private Network (VPN) encrypts your internet traffic and routes it through a secure server, protecting your online activities and data from snooping and censorship.

WHAT IS SNOOPING
Unauthorized access to or interception of data. It's like eavesdropping, but with digital information.
Types of Snooping:
1. Network Snooping:
▪ Involves intercepting data packets as they travel over a network.
▪ Tools like packet sniffers can capture and analyze this data.
2. Email Snooping:
▪ Unauthorized reading of someone else's emails.
▪ Can be carried out by hackers or even insiders with access to email systems.
3. File Snooping:
▪ Involves unauthorized access to someone else's files on a computer or network.
▪ Can happen if someone leaves their computer unlocked or shares passwords.
SNOOPING …
Risks and Consequences:
• Privacy Breach: Personal and sensitive information can be exposed.
• Data Theft: Confidential data can be stolen and misused.
• Security Threats: Snooping can lead to further security breaches, including identity theft or corporate espionage.

Preventive Measures:
• Encryption: Encrypt data to protect it from unauthorized access.
• Network Security: Use secure network protocols and firewalls to safeguard data in transit.
• Access Control: Implement strong access controls and monitor systems for
Malware Protection and Incident Response
Antivirus and Antimalware
Detecting, preventing, and removing malicious software to
protect the system.

Incident Response
Implementing a structured process to identify, contain, and
recover from security incidents.

Forensic Analysis
Investigating security breaches to determine the root cause and
gather evidence.
Staying Ahead of Evolving Threats

Threat Intelligence
Continuously monitoring and analyzing the latest security threats and trends.

Adaptive Security
Implementing flexible and responsive security measures to adapt to changing attack vectors.

Automation and AI
Leveraging advanced technologies to enhance detection, response, and prediction capabilities.

openHPI Course: Cyberthreats by Malware

Protective Measures

Prof. Dr. Christoph Meinel


Hasso Plattner Institute
University of Potsdam, Germany
Protective Measures against Malware: Program Updates (1/2)

Program updates close system vulnerabilities and eliminate security risks
■ Use of older software versions = security risk
■ Risk of abuse of publicly known vulnerabilities

Install updates as soon as they are available
■ Manufacturers do not find all errors during the test phase
■ Many security gaps in programs are only discovered during use
□ Also through attacks or analysis by external experts
■ Known security vulnerabilities can usually be closed by smaller update packages

Protective Measures against Malware: Program Updates (2/2)

Program updates
■ Currently, most programs automatically provide information on available updates
■ There are helper applications that automatically check for updates of installed software
■ Even good antivirus programs check that the installed software is up to date

But with all updates:
■ The trustworthiness of the update source must always be checked to ensure that the updates are genuine
■ Otherwise, updates can themselves become a vulnerability that could be exploited to install malware or launch cyber attacks

Protective Measures against Malware: Anti-Virus Software

■ Anti-virus software provides methods for detecting malware installed on the computer system
■ Detects viruses, worms, trojans, spyware, scareware and other malware types
□ also called anti-malware software
■ It also monitors Internet connections and warns about accessing unsafe websites
■ The program should be a mandatory component of each system to ensure that the computer system is secure

➢ Excursus on Anti-Virus Software

Protective Measures against Malware: Backups

Many malware attacks on the Internet result in data loss or damage
■ In case of data loss due to malware or damage to the operating system, data can be restored using previously created backup copies
■ Important and personal data must be backed up regularly
■ Many systems offer automatic data backup at predefined intervals
■ Store (encrypted) backups on external media or in the cloud
□ if an attacker manages to gain access to the computer, the user could lose access to backups

Protective Measures against Malware: Firewalls

■ Firewalls monitor network connections and the corresponding traffic
■ Can prevent unauthorized connection attempts
■ Additional protection against network attacks, such as attacks from backdoors and botnets
■ A local firewall only works on the machine on which it is installed
■ A network firewall checks all network traffic and is usually installed on connection nodes between the local network and the Internet

➢ Excursus on Firewalls

Protective Measures against Malware: "Healthy" Suspicion – Always Be Careful!

Suspicion is the most effective protection users can apply against malware infections
■ Even the best protection mechanisms are no longer effective if the user opens untrustworthy content
■ When installing new software, always check the manufacturer and origin of the software
■ Verify the signature of the software to be installed / updates (can be done automatically)
■ If a warning appears, a manual verification is necessary
■ Only install software that is really needed
□ do not install unnecessary applications, additional features, or optional plugins - they provide an unnecessary access point for attackers
■ Turn off active content (Flash, Java, ActiveX) in the web browser by default as it provides a number of different attack and intrusion opportunities
■ Open email attachments only if
□ the sender is known and the text can be assigned to the sender
□ an email with attachments was expected
■ Keep calm with (often faked!) online warnings and requests for payment of fines
■ Check installed software and remove all unused programs

Protective Measures against Malware: Mobile Devices (1/2)

■ Get applications only from trusted sources
□ preferably only from official App Stores
□ be careful with (new) apps with no or few ratings
■ Always keep apps and the operating system of the mobile device up to date
□ timely installation of updates
■ Create backups
□ system can be restored from an old backup in case of infection

Protective Measures against Malware: Mobile Devices (2/2)

Always grant apps only minimal permissions
■ Can be set up during initial startup or in the settings
■ Select permissions according to the app's functions
□ Example: Flashlight app does not require access to the contact list

Application permissions for iOS

Application permissions for Android

openHPI Course: Digital Identities – Who am I on the Internet?

Password Length and its Importance

Prof. Dr. Christoph Meinel


Hasso Plattner Institute
University of Potsdam, Germany
Properties of Secure Passwords

Passwords are "strong" when they are complex and difficult to guess
Some advice for choosing good passwords:
■ Passwords should be case-sensitive and should contain both uppercase and lowercase letters
■ Combinations of multiple words are also useful (passphrase)
■ In addition to letters, passwords should contain digits and special characters ($% &:; -_? §! ...)
■ Minimum length 12
□ The longer the password, the higher the security (because with each additional character the complexity increases exponentially)
■ No passwords from user context or dictionary
■ No old passwords that have already been used

Strong Passwords: Summary

Secure passwords...
■ ...contain upper and lower case letters, numbers and special characters
■ ...are at least 12 characters long
■ ...cannot be found in the dictionary
■ ...cannot be derived from the user context
■ ...are not reused

Password Length

Password length has a great influence on the strength/security of a password and the efficiency of possible password attacks.
Reminder: Notes on generating secure passwords:
□ Upper and lower case letters
□ Different character classes (letters, numbers, special characters ($% &:; -_? §! ...))
□ At least 12 characters long
□ Not from the dictionary
□ Cannot be derived from the user context
□ No reuse

What are the reasons for these recommendations?



Brute Force Attacks (1/2)

Brute force attacks are the simplest and most straightforward attacks to crack a password
■ Idea: Systematic testing of all possible character combinations for selected character classes at a given length
■ With sufficient time resources, brute force always leads to the goal, i.e. finding the password
■ Calculation formula for the number of all password candidates:

Number_of_password_candidates = (range_of_characters)^(Password_length)

Brute Force Attacks (2/2)

Idea: Systematic testing of all possible character combinations for selected character classes at a given length.

Number_of_password_candidates = (range_of_characters)^(Password_length)

Expected value for the average number of attempts to find a password:

Average_number_of_attempts = Number_of_password_candidates / 2

To protect against brute force attacks, the number of password candidates must be as large as possible.

Calculation of the Number of Possible Password Candidates

Example: Password consists of lower case letters …
■ abcdefghijklmnopqrstuvwxyz: 26 possible characters
…and numbers.
■ 0123456789: 10 possible characters
Number of possible characters in each position: 26 + 10 = 36

Password length = 1 (example: o)
36 = 36 ≙ < 0,001 sec*
Password length = 2 (example: o 4)
36 * 36 = 1.296 ≙ < 0,001 sec*
Password length = 3 (example: o 4 w)
36 * 36 * 36 = 46.656 ≙ < 0,001 sec*
Password length = 4 (example: o 4 w f)
36 * 36 * 36 * 36 = 1.679.616 ≙ < 0,001 sec*
Password length = 5 (example: o 4 w f 7)
36 * 36 * 36 * 36 * 36 = 60.466.176 ≙ < 0,001 sec*
Password length = 6 (example: o 4 w f 7 q)
36 * 36 * 36 * 36 * 36 * 36 = 2.176.782.336 ≙ ~ 0,022 sec*
Password length = 7 (example: o 4 w f 7 q 2)
36 * 36 * 36 * 36 * 36 * 36 * 36 = 78.364.164.096 ≙ ~ 0,784 sec*
Password length = 8 (example: o 4 w f 7 q 2 1)
36 * 36 * 36 * 36 * 36 * 36 * 36 * 36 = 2.821.109.907.456 ≙ ~ 28,211 sec*
Password length = 9 (example: o 4 w f 7 q 2 1 n)
36 * 36 * 36 * 36 * 36 * 36 * 36 * 36 * 36 = 101.559.956.668.416 ≙ ~ 16,927 min*
Password length = 10 (example: o 4 w f 7 q 2 1 n t)
36 * 36 * 36 * 36 * 36 * 36 * 36 * 36 * 36 * 36 = 3.656.158.440.062.976 ≙ ~ 10,156 h*

* Time required to generate all possible password candidates, when 100 billion passwords can be generated per second.

Cracking Complexity

Password length   Digits          Numbers + lower case    Alphanumeric       Alphanumeric + special characters
up to             [0-9]           letters [0-9a-z]        [0-9a-zA-Z]        [0-9a-zA-Z$% &:; -_? §!...]
5                 < 1 sec         < 1 sec                 < 1 sec            < 1 sec
6                 < 1 sec         < 1 sec                 < 1 sec            ~ 7,43 sec
7                 < 1 sec         < 1 sec                 ~ 35,79 sec        ~ 11,76 min
8                 < 1 sec         ~ 29,02 sec             ~ 36,99 min        ~ 18,62 hours
9                 < 1 sec         ~ 17,41 min             ~ 1,59 days        ~ 2,43 months
10                < 1 sec         ~ 10,45 hours           ~ 3,25 months      ~ 19,24 years
11                ~ 1 sec         ~ 2,24 weeks            ~ 16,82 years      ~ 18.28 c.
12                ~ 11 sec        ~ 1.55 years            ~ 10.43 century    almost eternal
13                ~ 1.85 min      ~ 55,79 years           almost eternal     almost eternal
14                ~ 18.5 min      ~ 20.08 century         almost eternal     almost eternal
15                ~ 3.09 hours    almost eternal          almost eternal     almost eternal
20                ~ 35.33 years   almost eternal          almost eternal     almost eternal

Time needed to create all possible password candidates when 100 billion passwords can be generated per second
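
Added example (not part of the original slides): the candidate-count and time formulas above in Python, showing the difference between the per-length slides (candidates of exactly one length) and the "Cracking Complexity" table, whose figures match the sum over every length up to the one given. The function names are hypothetical, and the size of the special-character set (95, all printable ASCII) is an assumption, since the slides do not state it.

```python
import string

RATE = 100_000_000_000  # candidates per second: the rate the slides assume

# Character-set sizes for the columns of the "Cracking Complexity" table.
CHARSETS = {
    "[0-9]": len(string.digits),                                # 10
    "[0-9a-z]": len(string.digits + string.ascii_lowercase),    # 36
    "[0-9a-zA-Z]": len(string.digits + string.ascii_letters),   # 62
    # Assumption: the slides do not give the size of the special-character
    # column; 95 (all printable ASCII characters) is used here.
    "alnum+special (assumed 95)": 95,
}


def candidates(charset_size: int, length: int) -> int:
    """Candidates of exactly `length` characters: range_of_characters ** length."""
    return charset_size ** length


def candidates_up_to(charset_size: int, max_length: int) -> int:
    """Candidates of every length from 1 to max_length (length unknown to the attacker)."""
    return sum(candidates(charset_size, n) for n in range(1, max_length + 1))


def average_attempts(charset_size: int, length: int) -> float:
    """Expected number of guesses for a uniformly random password: half the space."""
    return candidates(charset_size, length) / 2


def seconds_to_enumerate(count: int, rate: int = RATE) -> float:
    return count / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years, days, hours, min, sec)."""
    if seconds < 1:
        return "< 1 sec"
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"~ {seconds / size:.2f} {unit}"
    return f"~ {seconds:.2f} sec"


def complexity_table(lengths=(6, 8, 10, 12)):
    """Rows of (length, [time per character set]) using the cumulative count."""
    return [
        (n, [humanize(seconds_to_enumerate(candidates_up_to(size, n)))
             for size in CHARSETS.values()])
        for n in lengths
    ]


if __name__ == "__main__":
    print(f"{'len':>3}  " + "  ".join(f"{name:>26}" for name in CHARSETS))
    for n, cells in complexity_table():
        print(f"{n:>3}  " + "  ".join(f"{c:>26}" for c in cells))
    # Length outweighs alphabet size: 12 characters of [0-9a-z] versus
    # 8 characters drawn from the assumed 95-symbol set.
    print(candidates(36, 12) // candidates(95, 8), "times more candidates")
```

The units differ from the table (no weeks, months or centuries), but the seconds, minutes and hours rows can be compared directly.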
